You already use a software-only approach to passkey authentication - why that matters

[Image: Yuichiro Chino/Moment via Getty Images]

ZDNET's key takeaways

  • Passkeys are a type of credential designed to replace less secure passwords.
  • Using a passkey depends on one of three types of authenticators: platform, virtual, or roaming.
  • Virtual authenticators are software-only authenticators typically included with password managers.

Whether you like it or not, most of your online accounts are on course to have their passwords replaced with a more secure type of credential known as a passkey. In cybersecurity circles, passwords are often discussed as "shared secrets." Here is how passwords work, during both the initial registration process and every subsequent login attempt: you first have to share them with all the apps and websites (collectively referred to as "relying parties") that you use. Unfortunately, shared secrets like passwords have proven to be one of the most vulnerable aspects of the internet.

Also: How passkeys work: The complete guide to your inevitable passwordless future

Not only are we humans notorious for relying on highly insecure and unimaginative passwords, despite a barrage of advice to the contrary, but we are also regularly tricked into sharing them with hackers who rely on manipulative social engineering techniques, such as phishing and smishing.

After decades of compromises, exfiltrations, and financial losses resulting from inadequate password hygiene, you'd think that we would have learned by now. However, even after comprehensive cybersecurity training, research shows that 98% of users are still easily tricked into divulging their passwords to threat actors. 

Realizing that hope -- the hope that users will one day fix their password management habits -- is a futile strategy to mitigate the negative consequences of shared secrets, the tech industry got together to invent a new type of login credential. The passkey doesn't involve a shared secret, nor does it require the discipline or the imagination of the end user. Unfortunately, passkeys are not as simple to put into practice as passwords, which is why a fair amount of education is still required.

The big ideas behind passkeys

The three big ideas behind passkeys are:

  • They cannot be guessed (the way passwords can -- and often are).
  • The same passkey cannot be reused across different websites and apps (the way passwords can).
  • You cannot be tricked into divulging your passkeys to malicious actors (the way passwords can).

Passkeys still involve a secret. But unlike passwords, users have no way of sharing it -- not with legitimate relying parties and especially not with threat actors. Instead, passkeys rely on a standard public/private key cryptographic workflow in which users simply prove they are in possession of the secret (the private key) without ever having to share it. To learn more about how passkeys work behind the scenes, see ZDNET's six-part series on how passkeys work.

Also: How I easily set up passkeys through my password manager - and why you should too

The word "passkey" is actually a nickname for a FIDO2-compliant credential. The FIDO2 standard is governed by the multi-vendor FIDO Alliance and is technically an amalgamation of two other standards: the World Wide Web Consortium's (W3C) WebAuthn specification and the FIDO Alliance's Client-to-Authenticator Protocol (CTAP). The "authenticator," which is part of the CTAP standard, is the subject of this four-part series.

According to the W3C's WebAuthn standard, there are three types of authenticators: platform, virtual, and roaming. In addition to your browser, operating system, and the relying parties that you're logging into, the authenticator is critical to any passkey-based workflow. While the authenticator is typically offered as an integral component of your password manager, it is sometimes packaged as a separate component.

Although a relative handful of relying parties -- such as Apple, Google, Microsoft, PayPal, and Kayak -- are supporting passkeys as a type of login credential, there's no telling how long it will take for the long tail of websites and apps to make the shift. 

Also: Your passkeys could be vulnerable to attack, and everyone - including you - must act

However, as more relying parties make that transition, users will need to improve their understanding of passkeys and how best to equip themselves to rely on them. As such, it's important to understand the role played by various authenticator types during a typical passkey workflow (i.e., a passkey registration ceremony or passkey-based authentication) and what to consider when choosing one or more authenticators. (Yes, you can work with more than one.) 

In this third part of ZDNET's four-part series on passkey authenticators, I'll discuss the virtual authenticator and what makes it different from the platform and roaming authenticators.

'Virtual' is about a software-only approach

In most situations where users are working with passkeys but not using one of the platform authenticators, they'll most likely be working with a virtual authenticator. These are essentially "bring your own" (BYO) authenticators which, unlike platform authenticators, do not rely on the device's underlying security hardware for any passkey-related public key cryptography or encryption tasks.

Here's the idea behind BYO: Instead of using an authenticator that's already built into your device and largely controlled by its operating system (as is the case with platform authenticators from Apple and Microsoft), you install and configure a third-party substitute to take over the role of authenticator and credential manager. 

Also: The best password managers: Expert tested

Virtual authenticators are often referred to as password managers (even though they manage more than passwords), and the market demand for them is supported by a long list of offerings, including but not limited to 1Password, BitWarden, Dashlane, LastPass, and NordPass.

What about Google's Chrome? As I discussed earlier, the credential management and authentication capabilities found in Google's Chrome could be considered either platform or virtual. I tend to think of Chrome as a virtual authenticator, since, with the exception of Android, it must be deliberately installed by the user on most computing devices.

The players in this category compete with each other on features, cost, configurability, supported browsers and operating systems, and suitability to individual users versus organizations. Some, like BitWarden, offer both free and paid versions (the latter of which is typically more feature-complete). 

Cross-platform compatibility

Whereas platform authenticators and their associated credential management capabilities tend to offer limited functionality and configurability, third-party virtual authenticators typically provide a wide variety of user-friendly features that make them more attractive to certain users with specific preferences. 

For example, whereas some virtual authenticators cater to the unique needs of enterprises and other businesses, others may be more geared toward personal users. Additionally, one of the biggest differences between platform and virtual authenticators is in the platforms they support. For example, Apple's iCloud Keychain supports Apple's operating systems, and Microsoft's platform authenticator currently favors Windows 10 devices and above. However, most virtual authenticators prioritize both cross-platform and cross-browser compatibility. Such is the competitive nature of the business. 

The vendors behind these virtual authenticators know they're competing not only with the cost-free nature of platform authenticators (which are built into various operating systems and browsers), but also with each other on the basis of the platforms and browsers they support. Because virtual authenticators are an integral part of the various password managers, most third-party password managers offer browser plug-ins across the major browser offerings (Chrome, Edge, Firefox, and Safari). Additionally, they tend to offer native applications for each of the major desktop and mobile operating systems, as well as web-based access to their features and functionalities.

Also: I'm ditching passwords for passkeys for one reason - and it's not what you think

Here's another way virtual authenticators differentiate themselves from their platform-based counterparts: Self-hosting of synchronization capabilities. In the same way that Apple and Microsoft utilize their clouds as credential synchronization hubs, most virtual authenticators offer synchronization capabilities through their own clouds, and some even allow customers to substitute their own synchronization hubs. This option is particularly useful for organizations that have varying levels of concern about their sensitive data being stored in a vendor-operated cloud. 

In the final segment of this series, I'll cover the third type of authenticator: the roaming authenticator.
